4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
Size

1.1MB
MD5

fbe67ee0e8074b0bfdad7c46fcd26e83
SHA1

aedaa7aac0179b0f6bd2ac3622fc162363646261
SHA256

4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7
SHA512

5de46a0b46d7b73c10d63983334a33e9811b5ec38969decd7c7e3dfb95a098546fde5f500a33ea589cdf4c0d0d7653df9ccbe6090c6ee6303724d8ebefdfd54c
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qr:CcaClSFlG4ZM7QzMM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1764	svchcst.exe

Executes dropped EXE 3 IoCs

pid	Process
1764	svchcst.exe
2788	svchcst.exe
4340	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe
1764	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
1764	svchcst.exe
1764	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
4340	svchcst.exe
4340	svchcst.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3828	4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	86
PID 4160 wrote to memory of 3828	4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	86
PID 4160 wrote to memory of 3828	4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	86
PID 4160 wrote to memory of 2224	4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	85
PID 4160 wrote to memory of 2224	4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	85
PID 4160 wrote to memory of 2224	4160	4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe	85
PID 2224 wrote to memory of 1764	2224	WScript.exe	90
PID 2224 wrote to memory of 1764	2224	WScript.exe	90
PID 2224 wrote to memory of 1764	2224	WScript.exe	90
PID 1764 wrote to memory of 4728	1764	svchcst.exe	92
PID 1764 wrote to memory of 4728	1764	svchcst.exe	92
PID 1764 wrote to memory of 4728	1764	svchcst.exe	92
PID 1764 wrote to memory of 8	1764	svchcst.exe	93
PID 1764 wrote to memory of 8	1764	svchcst.exe	93
PID 1764 wrote to memory of 8	1764	svchcst.exe	93
PID 8 wrote to memory of 2788	8	WScript.exe	97
PID 8 wrote to memory of 2788	8	WScript.exe	97
PID 8 wrote to memory of 2788	8	WScript.exe	97
PID 4728 wrote to memory of 4340	4728	WScript.exe	98
PID 4728 wrote to memory of 4340	4728	WScript.exe	98
PID 4728 wrote to memory of 4340	4728	WScript.exe	98

C:\Users\Admin\AppData\Local\Temp\4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe
"C:\Users\Admin\AppData\Local\Temp\4f5033de010b82597149301962813d9f68eb149dd1db7e35e9ca72328a7097e7.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4340
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
56ad6cf3d8e7424fd738c220a910e7e5

SHA1
248c14dd877dd69147045e59c839e499b198c42a

SHA256
7a8d476b3e13647ae79bd65d21604ea37fb33209af256ada73988bb3c30ef32b

SHA512
2dea78fa098007d5d4439e946bd14b135fd0f680f0e62ba16ec72d0ac374d8e6d8cc110f45ff90cbd4b4452bfa2b8808fed8b15b0c86686aeb3a5edf39f5f8bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bd0cc8385e2c94da465451e7bd8d4303

SHA1
6866d3d8d4bc37bbd976b44b74d4cef9b018da66

SHA256
099ad392a60ee09509cf2982deb126acb373115124e33c1c9d18931fa32af630

SHA512
5212403107457416b6b8e3c033c9521f744845edbf0c9bba5c962bea5946c2a24e1081cf472e907b3e16fb593b98c119802e3162e5260b30574f2c086af3d6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ed0a1a851ee34a52bb49033376c1834c

SHA1
b9224b15cba0f189ee2e5785aac04946242eba54

SHA256
2cca3ee7eaaf26103b8d6731256407b361237e7bc54ffb86299504c0a62e18f1

SHA512
10ad2226dea2d479e23db740334fd34b40bf7b492ceace4a9244e929f0bf4d5fc48b265b855d556192b1f0ad47e9987e8d7a160ed05b63ee3616527cb74dfb3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7f74b8f5baba9ec01e457b2bfe3142d4

SHA1
bcd0baa907ce255d0eb65b84edbe6c6ec8fbb5d1

SHA256
d03c3905d8f6f0581456709e1dabd311b3668fa077455a575d0fc13790e98950

SHA512
e01d2fc10a10849f0a8b2fe4e91d51fd8d5ba21784e122f5b4d7933498a098d12f59e2f04ab3448b7620831f0b01da3b249cc92b118124e82c9d48fdffc55235

Download Submit